Cybersecurity and HIPAA compliance are essential for any organization that handles protected health information. However, even with the best of intentions, mistakes can still be made. In this blog post, we’ll explore the five most common HIPAA compliance mistakes and provide guidance on how to remediate them. Knowing how to fix these common mistakes is key to keeping your organization compliant and secure.
Lack of Risk Assessment
A risk assessment is a key component of any HIPAA compliance program. It’s a comprehensive process that helps organizations identify and address potential risks to the security and privacy of protected health information (PHI). Under the HIPAA Security Rule, all covered entities and business associates are required to conduct periodic risk assessments.
The purpose of a risk assessment is to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. Once identified, organizations can then take steps to address these risks and ensure compliance with the HIPAA Security Rule. The risk assessment should be conducted on an ongoing basis and should include:
A review of existing policies and procedures related to PHI. Policies & procedures should be reviewed at least annually (or more often if there’s a material change to regulations, the structure of the organization, or staff changes). There are certain policies that HIPAA requires for every organization, so it’s important to ensure that those policies exist for your organization.
An inventory of existing systems used to store and transmit PHI. To conduct a proper risk assessment, your organization must have an accurate inventory of the existing systems in use along with a description of their function and whether or not those systems contain and/or transmit PHI.
Assessment of technical safeguards for protecting PHI. Although HIPAA does not dictate what technical safeguards should be in place (except for encryption), it does require that your organization have them in place. The type and scope of technical safeguards will largely depend on the size of your organization, but the overarching concepts are the same: authentication, authorization, audit, and transmission security.
Identification of potential threats and vulnerabilities. It’s impossible to know if there are potential threats to your organization if no system for monitoring is set up, deployed, and utilized continuously. At a minimum, every organization should have antivirus and antimalware protection on all systems and a firewall or unified threat management (UTM) device to inspect inbound and outbound traffic.
Analysis of the potential impact of threats and vulnerabilities on PHI. Analysis of threats and vulnerabilities goes hand-in-hand with identifying them. Every vulnerability carries varying degrees of potential impact on your organization, and it is only through a comprehensive risk assessment practice that you can adequately identify that impact and remediate it as necessary. This brings us to…
Development of risk mitigation strategies. Developing a mitigation strategy is a key aspect of a risk assessment methodology. The manner of mitigation will vary from risk to risk, and it requires key stakeholders to dictate the amount of risk they’re willing to accept, and what risk must be mitigated.
By conducting a thorough risk assessment, organizations can ensure that they are compliant with HIPAA regulations and that their PHI is secure.
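The following is an added example, not code from the original post or from Axeleos: it takes the kind of system inventory described above (each system's function, and whether it stores or transmits PHI), checks each PHI-handling system for gaps against the four safeguard areas named earlier, and scores each gap into a risk register with an accept/mitigate decision. The system names, the rule for which safeguards a system needs, the 1-3 scoring scale, the default likelihood and the acceptance threshold are all assumptions made for illustration.

```python
"""Added example (not from the original post): a system inventory flagged for PHI,
checked for gaps against the four technical-safeguard areas named above, with each
gap scored into a risk register. System names, the rule for which safeguards a
system needs, the scoring scale and the acceptance threshold are all assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class System:
    name: str
    function: str
    stores_phi: bool
    transmits_phi: bool
    safeguards: FrozenSet[str]   # which of the four areas are implemented today


# Assumed rule: systems that store PHI need the first three areas, systems that
# transmit it need transmission security; systems that do neither need nothing here.
REQUIRED_IF_STORES = frozenset({"authentication", "authorization", "audit"})
REQUIRED_IF_TRANSMITS = frozenset({"transmission_security"})


def required_safeguards(s: System) -> FrozenSet[str]:
    """Safeguards a system must have, derived from how it handles PHI."""
    req: FrozenSet[str] = frozenset()
    if s.stores_phi:
        req |= REQUIRED_IF_STORES
    if s.transmits_phi:
        req |= REQUIRED_IF_TRANSMITS
    return req


RiskEntry = Tuple[str, str, int, str]   # (system, missing safeguard, score, decision)


def assess(inventory: List[System], likelihood: Dict[str, int],
           mitigate_at: int = 6) -> List[RiskEntry]:
    """Build a risk register: score = likelihood (1-3, a stakeholder input per system)
    x impact (1-3, derived from whether the system stores, transmits, or both).
    Gaps scoring at or above mitigate_at are marked for mitigation, the rest accepted."""
    register: List[RiskEntry] = []
    for s in inventory:
        impact = 1 + int(s.stores_phi) + int(s.transmits_phi)
        for gap in sorted(required_safeguards(s) - s.safeguards):
            score = likelihood.get(s.name, 2) * impact   # assumed default likelihood of 2
            decision = "mitigate" if score >= mitigate_at else "accept"
            register.append((s.name, gap, score, decision))
    return sorted(register, key=lambda e: -e[2])   # highest risk first


# Constructed inventory and stakeholder likelihood ratings (illustrative only).
SAMPLE_INVENTORY = [
    System("ehr-db", "patient record database", True, True,
           frozenset({"authentication", "authorization", "transmission_security"})),
    System("fax-gateway", "outbound referral faxes", False, True, frozenset()),
    System("scheduling", "room calendar, no patient data", False, False,
           frozenset({"authentication"})),
    System("backup-server", "nightly database backups", True, False,
           frozenset({"authentication", "audit"})),
]
SAMPLE_LIKELIHOOD = {"ehr-db": 2, "fax-gateway": 3, "backup-server": 1}

if __name__ == "__main__":
    for entry in assess(SAMPLE_INVENTORY, SAMPLE_LIKELIHOOD):
        print(*entry, sep=" | ")
```

Running it lists the missing audit logging on the record database and the unprotected fax path first, both marked for mitigation, and the backup server's missing authorization as an accepted risk; the scheduling system, which holds no PHI, produces no entries. The point is that the inventory drives everything: a system that is not on it is never assessed.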
Lack of Employee Training
Under HIPAA, covered entities and business associates are responsible for ensuring that their employees receive appropriate training on security awareness. Training should include information on the organization’s policies and procedures, potential threats to patient data, and an understanding of the employee’s role in protecting sensitive health information.
Specialized training may be necessary for some employees based on their job role. For example, individuals responsible for the maintenance or implementation of the organization’s security measures should receive additional training to ensure they understand the technical aspects of their job.
It is important to ensure that employees stay up-to-date with security awareness training.
Training should be conducted regularly – at least annually – so that employees are aware of the latest security threats and compliance requirements. Additionally, security awareness training should be conducted any time there is a change in policies or procedures related to the protection of sensitive health information. This can help to reduce the chances of violations due to lack of knowledge.
Organizations must also track employee training records and document the attendance and results from each session. Keeping records can help you identify which areas need improvement and provide evidence of your efforts to keep staff informed if needed.
At a minimum, HIPAA awareness training should contain the following topics: HIPAA background, key terms & vocabulary, Privacy & Security Rules, patient rights under HIPAA, HIPAA violations, security best practices, and a review of organizational policies & procedures.
Inadequate Physical Safeguards
Physical safeguards are a critical part of maintaining HIPAA compliance. They refer to measures taken to protect the physical security of electronic Protected Health Information (ePHI) and physical (non-electronic) PHI. Under HIPAA, covered entities and their business associates must protect ePHI from unauthorized access, use, disclosure, or destruction.
When it comes to physical (non-electronic) PHI, best practices include ensuring that any documents containing PHI are stored securely and locked away when not in use. Documents should be shredded before disposal, and only authorized personnel should have access to them. Additionally, having a clean desk policy will further enhance the security posture of physical PHI. A clean desk policy means that any sensitive information is placed in a drawer or cabinet when an employee is away from their desk.
For electronic PHI, physical safeguards are needed to protect the integrity of systems and networks. This includes locking doors to server rooms and computer labs, as well as taking steps to protect systems from natural disasters such as floods and fires. Access to server rooms should be restricted to authorized personnel only, and an access log should be maintained whenever someone other than those authorized needs to access the area (for example, maintenance personnel who need to perform repairs on HVAC systems).
Implementing best practices for handling physical safeguards can help protect PHI from unauthorized access and help maintain a secure environment.
Lack of Access Control
Access control is a security measure that is used to limit access to protected data. HIPAA requires covered entities and business associates to implement technical, administrative and physical safeguards that protect the confidentiality, integrity and availability of protected health information (PHI). This includes granting only authorized users access to PHI. Unauthorized access can lead to breaches in security and patient privacy.
Unfortunately, some organizations do not have proper access control in place. This can occur when organizations grant too many users access to PHI or when they fail to review and revoke access rights when an employee leaves the organization. Additionally, some organizations may allow users to access PHI without requiring authentication, such as a username and password.
Best practices for implementing access control include regularly auditing user access rights, limiting access to only those who need it, encrypting PHI, setting expiration dates on user access, monitoring attempts to access PHI, and regularly reviewing user accounts. Additionally, each user should have a unique login and be required to authenticate before accessing PHI. Organizations should also ensure that all access points are secure and that only authenticated users are granted access.
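The following is an added example, not code from the original post or from Axeleos, showing what a periodic access review of the kind described above looks like in practice. It compares the accounts on a PHI system against the HR roster and a per-department entitlement matrix, and flags the conditions the text lists: access that should have been revoked when someone left, shared rather than unique logins, accounts with no expiration or past it, rights beyond what the job needs, dormant accounts, and logins without a strong authentication control (MFA is assumed here as the bar to check; the post only mentions username and password). A second function counts denied PHI record accesses per user from audit log lines. The account names, roster, entitlement matrix, log format and thresholds are all constructed for illustration.

```python
"""Added example (not from the original post): an access review over accounts on
a PHI system, flagging the conditions listed above. Account names, the roster,
the entitlement matrix, the log format and the thresholds are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # employee the login belongs to; "" means a shared login
    system: str
    roles: FrozenSet[str]
    expires: Optional[date]    # None means no expiration date was ever set
    last_login: Optional[date]
    mfa: bool                  # assumption: MFA is the authentication bar we check for


@dataclass(frozen=True)
class Employee:
    name: str
    department: str
    active: bool               # False once HR records the person as having left


# Constructed entitlement matrix: roles each department legitimately needs per system.
ENTITLEMENTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "ehr": {
        "clinical": frozenset({"clinician"}),
        "billing": frozenset({"billing_clerk"}),
        "it": frozenset({"sysadmin"}),
    },
}

Finding = Tuple[str, str, str]   # (username, issue, recommended action)


def review_accounts(accounts: List[Account], roster: List[Employee],
                    today: date, stale_after_days: int = 90) -> List[Finding]:
    """Compare PHI-system accounts against the HR roster and the entitlement matrix."""
    people = {e.name: e for e in roster}
    findings: List[Finding] = []
    for a in accounts:
        owner = people.get(a.owner) if a.owner else None
        if not a.owner:
            findings.append((a.username, "shared-login", "replace with unique per-user logins"))
        elif owner is None or not owner.active:
            findings.append((a.username, "orphaned", "owner no longer active; revoke access"))
        else:
            allowed = ENTITLEMENTS.get(a.system, {}).get(owner.department, frozenset())
            excess = a.roles - allowed
            if excess:
                findings.append((a.username, "excess-privilege",
                                 "remove roles not needed for the job: " + ", ".join(sorted(excess))))
        if a.expires is None:
            findings.append((a.username, "no-expiration", "set an expiration date on the account"))
        elif a.expires < today:
            findings.append((a.username, "expired", "account is past its expiration date; disable it"))
        if not a.mfa:
            findings.append((a.username, "no-mfa", "require MFA before PHI access"))
        if a.last_login is None or (today - a.last_login).days > stale_after_days:
            findings.append((a.username, "dormant",
                             f"no login in {stale_after_days} days; disable pending review"))
    return findings


def flag_failed_access_bursts(log_lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Count denied PHI record accesses per user in lines shaped like
    '<timestamp> user=<name> action=read_record record=<id> result=<ok|denied>'
    and return the users at or above the threshold."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if fields.get("result") == "denied" and "user" in fields:
            counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample data (illustrative only).
TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    Employee("alice", "clinical", True),
    Employee("bob", "billing", True),
    Employee("carol", "it", False),       # left the organization
]
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "ehr", frozenset({"clinician"}), date(2024, 12, 31), date(2024, 5, 30), True),
    Account("bob", "bob", "ehr", frozenset({"billing_clerk", "clinician"}), date(2024, 12, 31), date(2024, 5, 29), True),
    Account("carol", "carol", "ehr", frozenset({"sysadmin"}), None, date(2024, 1, 10), True),
    Account("frontdesk", "", "ehr", frozenset({"clinician"}), date(2024, 1, 1), date(2024, 5, 31), False),
]
SAMPLE_LOG = [
    "2024-06-01T08:00:01 user=alice action=read_record record=p1001 result=ok",
    "2024-06-01T08:00:09 user=alice action=read_record record=p1002 result=denied",
] + [f"2024-06-01T08:01:{i:02d} user=bob action=read_record record=p20{i:02d} result=denied"
     for i in range(5)]

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, TODAY):
        print(*f, sep=" | ")
    print(flag_failed_access_bursts(SAMPLE_LOG))
```

On the sample data the review clears alice, flags bob's extra clinical role, flags carol's account three times (orphaned, no expiration, dormant) and the shared front-desk login three times (shared, expired, no MFA); the log scan reports bob's five denied record reads. Joining the account list to the HR roster is the step most organizations skip, and it is the one that catches departed employees whose access was never revoked.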
Improper Disposal of PHI
Proper disposal of PHI is necessary to protect the privacy and confidentiality of patients’ PHI and to prevent any potential harm. Unfortunately, many organizations do not have proper practices in place to dispose of PHI securely.
When disposing of PHI, covered entities and their business associates must take appropriate steps to prevent unauthorized access to the PHI. When disposing of physical PHI, it should be shredded or incinerated to ensure that it cannot be accessed or used by anyone else. When disposing of electronic PHI, it should be securely deleted using appropriate data deletion software.
Best Practices for Proper Disposal of PHI:
1. Shred or incinerate all paper documents containing PHI before discarding them.
2. Utilize a reputable third-party vendor for secure disposal of paper documents.
3. Securely delete all electronic PHI from computer hard drives and other storage media.
4. Use encryption software for computers and other devices containing PHI.
5. Use data deletion software that meets industry standards for securely deleting electronic PHI.
6. Store backup tapes offsite in a secure location with restricted access.
7. Monitor all disposal activities and document them for review by auditors.
8. Educate staff on the importance of proper disposal of PHI.
By being aware of these common mistakes and taking steps to address them, organizations can ensure that they remain compliant with HIPAA regulations and protect the confidential health information of their patients.
At Axeleos, we provide comprehensive HIPAA security solutions to help organizations stay compliant and keep their data safe with our flagship service, MediGuard. Our team of experts can provide you with the tools and guidance necessary to keep your data secure and ensure your organization remains in compliance with all applicable regulations.
Contact us today to get started on a comprehensive HIPAA security solution for your organization.